Software Security/Group 3/Verdict/V8.5 moreInfo
No functionality for logging error messages or success messages is implemented. The die() function is only used for error messaging, except for one case:
../update_to_FINAL.php:74: die("UPDATING COMPLETE -> 2.0.0 Final installed");
The message_die() function is only used for the following cases, and each use is tagged as such:
GENERAL_MESSAGE : Use for any simple text message, eg. results of an operation, authorisation failures, etc.
GENERAL ERROR : Use for any error which occurs _AFTER_ the common.php include and session code, ie. most errors in pages/functions
CRITICAL_MESSAGE : Used when basic config data is available but a session may not exist, eg. banned users
CRITICAL_ERROR : Used when config data cannot be obtained, eg no database connection. Should _not_ be used in 99.5% of cases
So the only way to distinguish a 'security relevant' message from any other is through these error message types.
Conclusion:
First of all, the ability to log error and success messages must be implemented. Secondly, we strongly suggest tagging every security-relevant error message, and also success messages. To do this, one should dig into the possible error and success messages that the database, PHP and any other component return, and then tag an error or success message whenever a certain message is returned.
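One way to implement the recommendation above, as an added example that is not phpBB code and not part of the original verdict: a helper that writes both error and success messages to a log, each with its message type and an explicit security tag. The function names build_log_record and log_event, the event labels and the log path are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not phpBB functions.
// Message types as listed on this page, written here with underscores.
const MESSAGE_TYPES = ['GENERAL_MESSAGE', 'GENERAL_ERROR', 'CRITICAL_MESSAGE', 'CRITICAL_ERROR'];

// Build one log record as a single JSON line.
function build_log_record(string $type, string $outcome, bool $securityRelevant,
                          string $event, string $detail, string $file, int $line): string
{
    if (!in_array($type, MESSAGE_TYPES, true)) {
        throw new InvalidArgumentException("unknown message type: $type");
    }
    if ($outcome !== 'success' && $outcome !== 'failure') {
        throw new InvalidArgumentException('outcome must be success or failure');
    }
    $record = [
        'time'     => gmdate('Y-m-d\TH:i:s\Z'),
        'type'     => $type,
        'outcome'  => $outcome,            // success messages are logged too
        'security' => $securityRelevant,   // explicit tag instead of guessing from the type
        'event'    => $event,
        // Replace control characters so user-influenced text cannot forge extra log lines.
        'detail'   => preg_replace('/[\x00-\x1F\x7F]/', ' ', $detail),
        'source'   => basename($file) . ':' . $line,
    ];
    return json_encode($record, JSON_UNESCAPED_SLASHES);
}

// Append the record to the log file; returns false if the write failed.
function log_event(string $logFile, string $type, string $outcome, bool $securityRelevant,
                   string $event, string $detail, string $file, int $line): bool
{
    $entry = build_log_record($type, $outcome, $securityRelevant, $event, $detail, $file, $line);
    return file_put_contents($logFile, $entry . PHP_EOL, FILE_APPEND | LOCK_EX) !== false;
}

// Constructed sample events (not taken from the audited application).
$log = sys_get_temp_dir() . '/forum_events.log';
log_event($log, 'GENERAL_MESSAGE', 'failure', true,  'auth.login', "bad password for user\nadmin", __FILE__, __LINE__);
log_event($log, 'GENERAL_MESSAGE', 'success', true,  'auth.login', 'login ok', __FILE__, __LINE__);
log_event($log, 'GENERAL_ERROR',   'failure', false, 'db.query',   'could not obtain topic list', __FILE__, __LINE__);
```

Filtering the resulting file on "security":true then yields the security-relevant events regardless of which of the four message types they were raised with.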